Some Crazy Ideas From Caspan's Head!


How Smart is BlackBerry Picture Password? Smart!!

BlackBerry OS 10.2.1 has added a new and very innovative feature to the OS called Picture Password. Picture Password lets you choose an image and then place a number (0-9) somewhere on that image. It replaces the need to type in a password or PIN: to unlock your device you just move the number you chose to its correct spot in the image. Not only is this easier, it is actually more secure. The reason Picture Password is so smart is how it is designed: even if someone is watching you unlock your phone, they can’t tell what your number is or where on the image you placed it. At first you could challenge this and say “well, if someone puts their finger on their number and then moves it to the correct location, someone watching could see that and know their Picture Password” (this is also what I first thought). It turns out that this is just a common misunderstanding of how Picture Password should be used. To explain how it should be used I am going to use a mental image. Think way back to overhead projectors, remember them from school? You could take a sheet of transparency film, print something on it and then project it on the wall for everyone to see. You could then take a sheet of random numbers and place it on top of the existing sheet. The numbers would show on top of the previous image as if they were floating above it. To move the sheet of numbers you don’t have to put your finger on the number and drag the whole page; you can simply grab the top sheet by any edge and slide it until your number is in the correct location. No one can tell which number you are moving, nor can they see the location you move it to. This is exactly the principle Picture Password uses. Picture Password also randomizes the spacing between rows and columns, making it even harder to guess.

I will say this: Picture Password is many times stronger than typing a PIN or password on a keyboard. Why? Because when you type your password on a keyboard and someone is looking, they can see what you are typing. The letters pop up as you press them, and an observer can see exactly what you enter simply by watching your fingers. With Picture Password you could watch a user unlock their device 20 times and still not know it; Kevin from CrackBerry even posted a video of himself unlocking his device and ran a contest declaring “Try to guess my Picture Password!”. This is what makes Picture Password more secure than a password or a PIN. So is Picture Password a perfect solution that will change the way we log into every password-protected device going forward? Well, it is better security, that’s for sure, and let’s be honest, who doesn’t like more security that is easier to use than a password? With that said, it is far from the perfect be-all and end-all of security measures. You can’t just run around showing everyone your Picture Password and hope that no one will ever guess it! Each use of your Picture Password can still leak information about it, IF… you know what to look for!

Let’s say that your BlackBerry holds the world’s secrets and someone would like to get them. How would they go about it? Realistically there are only two ways into a protected BlackBerry: 1) you know the password, obvious but it needs to be said, or 2) you use some kind of exploit to bypass the need for a password. Keep in mind we are talking about a BlackBerry here; security comes first and, not to brag, it has never been compromised to date. That does not mean there is zero chance it could ever happen, but I would be willing to bet that most people don’t know someone with a zero-day exploit to do this. When it really comes down to it you have one choice: you need to know the password!

Let’s explain how BlackBerry security works first. A BlackBerry device does not mess around when it comes to security. When you set a password on your device it enforces a security policy that limits the number of attempts to guess your password. What happens when you reach that limit? It wipes the device. I know this can be “hard core security” for someone who just wants to protect their personal Facebook or Twitter account, but you can only do security one way, the right way! This protection stops an attacker from simply guessing (brute force) until they hit the correct password. So you had better know what the password is, or else the data you were looking for will be scrubbed from the device! So… you can’t guess the right password, you can’t watch the user log in to get their password; how could you possibly get the password?

Simple: just capture the user entering their Picture Password 2 or 3 times (and yes, I am being sarcastic when I say simple). This method requires either A) some kind of application that takes screen captures on the user’s device (realistically this is not going to happen if you can’t get into the BlackBerry), or B) surveillance by video or camera. I know this is a bit much, but it is what you need to get the information you require; welcome to BlackBerry security! Not to mention that the images you capture need to be taken just as the user places the number in the correct spot of the image, making it even more complicated. For argument’s sake, let’s just say you did get your 2 or 3 perfect pictures. I have posted the images I captured below:

Image 1

Image 2

Overlay of Image 1 and 2

Once I have acquired these 2 images I can use them to leak information about the Picture Password. I know some of you might be saying there is no way you can get an image this clear, but this is just a proof of concept, so I am using the best case scenario and using screenshots. BUT… this could very well be a surveillance picture. If you look at the overlay picture above, we can clearly see that the two zeros over the orange marble line up perfectly and nothing else does. Because of this we can determine without a doubt that this is the user’s Picture Password.

Please understand this does not demonstrate that Picture Password is weak; in fact it means the exact opposite! Picture Password is still, at its worst, 2x more secure than a PIN or keyboard password. These old-school methods of password entry show your password the first time, and that can be done with nothing but the naked eye. Picture Password, on the other hand, would require expensive and tricky surveillance (that most of us would never do) and a minimum of 2 clear images to compare with each other. Not to mention it would be very tough to get even 1 picture with enough quality, no hands in the way, no glare, etc., let alone more. The more obstacles there are, the stronger Picture Password gets. Picture Password is a very strong method of securing your BlackBerry device….. But wait!!! It gets more secure. BlackBerry has added a curve ball to the problem by changing the spacing of the numbers randomly.

Does this change of spacing really make Picture Password more secure? Well, it depends what you are defending against. Let’s look at two scenarios: A) someone visually watching over your shoulder as you enter your Picture Password, or B) someone recording your screen as you enter your Picture Password using surveillance. In scenario A, where someone is watching you visually, this changing of spacing is actually a good thing. I will try to explain why, as this can be tricky to picture mentally. Let’s pretend the spacing between numbers never changed. When you entered your Picture Password, all the numbers would always be in the same position relative to each other, because they are laid out in a grid, and when your secret number is in the right spot all the other numbers are always in their same spots. So let’s use ‘Image 1’ from above. See how, when I put the number zero in the middle of the orange marble, there is a number in the center of the bluish purple marble on the bottom right edge? If the spacing were kept the same, then every time I put a number in the bluish purple marble there would be a number in the hot spot of the orange marble. Granted, it would not always be the right number, but you would have a 1 in 10 chance that it is! By changing the spacing, this kind of attack is prevented, because if I put a number in the bluish purple marble there is not always one in the orange marble. This stops someone from guessing the location of your hot spot just by knowing where one number goes. Again, very smart of BlackBerry.

Now let’s look at scenario B, where someone is using surveillance to get screen captures of your device. Here, changing the spacing actually helps to reveal the password. Why? For the same reason it helped before, it now hurts us. You can overlay the two images and you know exactly where the hot spot is, because the two numbers there are the only ones that align. Below are a few examples of how the spacing changes. I have tried to make this more visual by drawing lines down the middle of each row and column.

Large Spacing (6×8)

Medium Spacing (7×9)

Small Spacing (8×10)

All overlayed

I have found that the vertical and horizontal spacing changes each time. You can see in the final overlay that no other areas line up perfectly other than the hot spot. A few come close, but close is not enough, as Picture Password requires you to be within approximately 10px from what I have found. To show this further I have added a few more examples below. The first row is all comparisons where the spacing is different: you can see that with only 2 pictures you can determine exactly what the Picture Password is. The second row shows what happens if the spacing were the same: many more numbers overlap each other, so it would take more images to determine the hot spot and number definitively. With that said, the BlackBerry security policy defaults to 10 tries to guess a password, so unless a user changes that setting, all of these examples leave fewer than 10 possibilities and an attacker could still access the device.

First row: four overlays of 2 samples, different spacing

Second row: four overlays of 2 samples, same spacing

These examples show that randomizing the spacing makes it easier to work out your Picture Password when you are under surveillance. On the other hand, it also makes it harder for someone to visually guess your password. Which is the more realistic attack, the one that is going to happen every day? I would assume the visual attack. You would have to be pretty damn important to warrant that kind of surveillance just to get your Picture Password. BlackBerry made a good decision here by adding random spacing.
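To put numbers on the two rows of overlays above, here is an added simulation (mine, not code from the original post or from BlackBerry) of the overlay analysis: each capture is modelled as a screen full of random digits on a grid phased so the secret digit sits on the hot spot, and the code counts how many (digit, position) candidates survive overlaying k captures within the 10px tolerance, with the grid density either re-drawn per capture or held fixed. The screen size, the independent random digit per cell and the three grid densities are assumptions; the model also generalizes beyond the post's 2-picture case to any number of captures.

```python
import random

# Constructed model of the overlay analysis in the post; the screen size,
# the random digit per cell and the three grid densities are assumptions.
SCREEN_W, SCREEN_H = 768, 1280
TOL = 10                                  # alignment tolerance (px) the post observed
DENSITIES = [(6, 8), (7, 9), (8, 10)]     # (cols, rows) spacings shown in the post

def capture(secret, hot, cols, rows, rng):
    """One unlock screenshot: the screen filled with a cols x rows grid of
    random digits, phased so that the cell on `hot` holds the secret digit."""
    dx, dy = SCREEN_W // cols, SCREEN_H // rows
    xs = range(hot[0] % dx, SCREEN_W, dx)  # a column of the grid passes through hot[0]
    ys = range(hot[1] % dy, SCREEN_H, dy)  # a row of the grid passes through hot[1]
    return [(secret if (x, y) == hot else rng.randrange(10), x, y)
            for y in ys for x in xs]

def survivors(captures, tol=TOL):
    """Cells of the first capture that have a same-digit cell within `tol` px
    in every other capture: the candidates an overlay leaves standing."""
    return [(d, x, y) for d, x, y in captures[0]
            if all(any(d2 == d and abs(x2 - x) <= tol and abs(y2 - y) <= tol
                       for d2, x2, y2 in cap) for cap in captures[1:])]

def survivors_for(secret, hot, grids, seed):
    """Overlay one capture per (cols, rows) in `grids`, all sharing the same
    secret digit and hot spot, and return the surviving candidates."""
    rng = random.Random(seed)
    return survivors([capture(secret, hot, c, r, rng) for c, r in grids])

def mean_survivors(k, random_spacing, trials=200, seed=1):
    """Average candidate count after overlaying k captures, with the grid
    density re-drawn per capture (random_spacing) or held at 8x10."""
    rng = random.Random(seed)
    total = 0
    for t in range(trials):
        secret = rng.randrange(10)
        hot = (rng.randrange(SCREEN_W), rng.randrange(SCREEN_H))
        grids = [rng.choice(DENSITIES) if random_spacing else DENSITIES[-1]
                 for _ in range(k)]
        total += len(survivors_for(secret, hot, grids, seed + t))
    return total / trials

if __name__ == "__main__":
    for k in (2, 3):
        print(f"{k} captures: random spacing -> {mean_survivors(k, True):.1f} "
              f"candidates, fixed spacing -> {mean_survivors(k, False):.1f}")
```

With fixed spacing the two grids are phase-locked by the hot spot, so every cell aligns in position and roughly one in ten also matches in digit; with re-drawn spacing only the hot spot and a few coincidental multiples of the two spacings line up, which is the post's "only 2 pictures" observation in numbers.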

So what does all this mean? Well, to me it means you have one hell of a secure device in your hand!! Period!! Is there a way to make it more secure? Sure, there is always a way to make things more secure, but it tends to make them more complex. Like the old saying goes, “the more secure something is the less user friendly it is, and the more user friendly something is the less secure it is.” If I had any suggestions to strengthen Picture Password they would be these:

Don’t re-randomize the number spacing each time the user cancels the lock screen. The spacing should only change after a successful login. If someone was clever and used the method I mentioned above, knowing where 1 number goes and what the spacing was, then with that information they could keep cancelling the lock screen and reopening it until the right spacing comes up. That would give them a 1 in 10 chance each time that the number over the hot spot is correct.

Allow the user to create more than 1 Picture Password. When the device is locked it would choose one of your Picture Passwords at random. This would still leak information to someone surveilling you, but it would take much longer to capture, making it much harder.

Make the numbers denser. The more numbers on the screen the harder it is; as my examples above show, more numbers on the screen means more possible combinations.

Allow fewer guesses when using Picture Password. 5 would be the max I would set it to for more security.

What are your thoughts? Do you like the new Picture Password? I’ll tell you one thing: I will be recommending that all my BlackBerry friends who have a password or PIN switch over to Picture Password! Even if they don’t have a password, Picture Password is so easy it’s stupid!

It’s worth mentioning that the number you select doesn’t have to be in the EXACT spot every time… a few mm in either direction seems to work, so in real life, even with the overlaid images, it would be even more difficult to find the solution.

Thanks for the feedback. From my testing you need to be accurate to about 10px, which is a pretty small tolerance to be honest. I have been using it for a little while and sometimes I can be off just a little bit and it will reject the try. All of my images are tests that worked, so you only keep image captures that work. So if you compare only images that work you know they are all within 10px.